Data Protection and Privacy Laws- The Position in India, EU and The United States


The Supreme Court of India, in the landmark case of K.S. Puttuswamy v. UOI [1], held that data privacy is a facet of the right to privacy and is therefore a fundamental right protected under Article 21 of the Indian Constitution. With informational privacy recognised as part of a fundamental right, there is an urgent need to protect the personal and sensitive information that constitutes private data from being abused or accessed without authorization, and every nation therefore needs a law that protects this very data.

Data protection laws are simply those sets of rules, policies, and procedures that reduce the chances of an abuser or violator intruding on the sensitive data of an individual. These laws govern the collection, storage, and dissemination of large volumes of data.

Globally, most nations have understood the technicalities and threats of the new information-intensive environment created by the generation of heavy amounts of data; however, only a few countries have been able to counter these problems by introducing and implementing specific legislation.

This article analyses the legal frameworks available in three data-rich jurisdictions, so that nations yet to introduce laws on this subject can take direction from these frameworks in creating an exhaustive framework of their own.

India on Data Protection Laws

With the current framework of rules and regulations in India, preventing the abuse of digital privacy is almost utopian. Laws such as the Information Technology Act, 2000, the IPC, 1860, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are non-exhaustive, non-stringent, and too generalized to govern the subject matter of digital security in India, and these legislations do not contain suitable provisions to govern information and data privacy. Moreover, the digital economy in India is anticipated to reach a valuation of $1 trillion by the year 2022 [2], so the anticipated level of risk is high. Certainly, a paradigm shift is needed in data laws that can direct the legal framework towards an exhaustive set of procedural compliance which is technically efficient, economically sound, legally justifiable, and ethically sustainable.


On a similar note, a Personal Data Protection Bill has been pending since 2019 and has now been referred to the Standing Committee for its report [3]. If the Bill becomes a legislative Act, it will be the first cross-sectoral legal framework for data protection in India. The Bill aims to provide for the protection of the personal data of individuals and establishes a Data Protection Authority for that purpose.

The Bill has a broad scope of applicability, as it governs the processing of personal data, firstly, by the Government, secondly, by companies incorporated in India, and thirdly, by foreign companies dealing with the personal data of individuals in India. The provisions of the Bill also ensure that sufficient protective rights are placed in the hands of individuals to protect their sensitive data from being abused [4].

The Bill developed from the 2017 Committee of Experts headed by Justice B.N. Srikrishna, which was constituted to examine various issues related to data protection in India [5]. The Bill is an attempt to change the data privacy dynamics in India. Critics have pointed out that this Bill, if passed, can act as a tool to balance the imperatives of protecting privacy and ensuring innovation and productivity growth. Treating privacy as an end goal, this legal framework is preventive and highly regulated; on the contrary, however, it is also a tool for the Government to enjoy and strengthen its over-reaching power of conducting surveillance.

European Union on Data Protection Laws

GDPR stands for General Data Protection Regulation [6], and it is this regulation that governs the safety of data and privacy in the European Union as well as in the European Economic Area. The Regulation replaced the previous Data Protection Directive of 1995 and came into force on the 25th of March 2018 to harmonize the long-standing need for a data security framework across the EU [7].

Undeniably, India's Personal Data Protection Bill, 2019 relies heavily on the GDPR framework [8], and most of the provisions in the Indian Bill are borrowed from the GDPR because of the latter's superiority and efficiency in dealing with the subject matter of data protection in depth.

GDPR is currently seen as one of the strongest frameworks across the globe for protecting the data of an individual from being abused by any other person, and it has also been hailed for its wide extraterritorial applicability across Europe.

The Regulation stresses the need for higher scrutiny of, and liabilities on, 'data controllers' and 'data processors'. It also includes different facets of data rights such as the 'right to be forgotten', the 'right to data portability', the 'right to access', etc. Further, the requirement of prior consent for the processing of personal data has been added in the Regulation.

Undoubtedly, the GDPR framework has been hailed and praised by cyber law specialists in Europe for its efficient implementation in curbing cyber security breaches in European countries [9]. The Regulation has changed the discourse of ethics in matters related to sensitive data and has reduced the spread of data misuse to a great extent. A report of the Centre for Information Policy Leadership that analyzed the functioning of the GDPR in its very first year [10] found that the Regulation was able to bring organizational accountability and addressed global privacy management standards for organizations by ensuring higher data privacy awareness and ownership.

Nonetheless, as the Regulation is still in an embryonic stage, there are many issues yet to be tackled that still pose a challenge to the implementation of this timely Regulation; however, it is expected that with time these fallacies will be addressed and the Regulation shall act as a grundnorm in curbing 21st-century data security threats.


United States on Data Protection Laws

Currently, the US does not have any central federal-level data protection law, but it has certainly had data privacy laws protecting data within its territory for a very long time. In the US, data is governed through different vertically-focused federal privacy laws and consumer-oriented privacy laws enacted in the different states of the US [11].

Since the US Privacy Act of 1974, the US has always understood the changing dimensions of technology. With time, it has implemented different sector-specific legislations such as the Driver's Privacy Protection Act, 1994, the Health Insurance Portability and Accountability Act (HIPAA), 1996, the Gramm-Leach-Bliley Act (GLBA), 1999, the Children's Online Privacy Protection Act (COPPA), 2000, etc., which have had a pertinent role in protecting the privacy and security of data in the sectors these legislations were enacted to govern.

Considerably, the US has also not missed the recent wave of changes in data protection laws and has tried to keep pace with legislation such as the GDPR and the Personal Data Protection Bill, 2019.

The California Consumer Privacy Act, 2018 (CCPA) is one such state-specific law in the US that has strong data security and preventive features like the EU's GDPR framework. The Act extends consumer privacy protections to the internet and is one of the most comprehensive internet-focused data privacy legislations to have been implemented in any state of the US [12]. The Act has features such as a 'right to delete', a 'right to access through a data subject access request', a broad definition of personal information, the introduction of probabilistic identifiers, etc.

However, as this is a state legislation whose jurisdiction is limited to California, the Act has served as a precedent for other US states to implement their own data protection laws on a similar note. The New York Privacy Act (not yet enacted and enforced) contains similar and stronger provisions than the CCPA [13].

The Massachusetts Data Breach Notification Law is another state-specific law that governs security requirements for companies that handle the private data of the state's residents. Likewise, other states including Hawaii, North Dakota, and Maryland have a similar framework to protect consumer privacy and to build data security into legislation. The US should aim to have a federal-level data protection framework, as it would bring uniformity across all US states and would also help companies comply with a single set of federal provisions rather than with differing state-specific provisions.

Nonetheless, for the time being, the state-specific data security legislations that are in force will help in protecting and securing the data of US users.

In Conclusion

Data should not become just a tool for advancing the concept of surveillance capitalism. It should rather call for strict compliance with and adherence to data security laws. These data security and privacy laws are the only instrument that can draw a line between fact and fiction in regard to the fair use of data.

Having moved to a fast-paced digital culture in which we generate heavy amounts of data and rely on data for most of our lives, data privacy legislation is an urgent requirement that must be enacted earnestly, balancing security interests on one side and the interests of the people on the other.

Therefore, a conducive data security framework has become the need of the hour for countries to introduce, enforce and implement in order to protect the basic fundamental rights of their citizens from being violated.
